Hi Jeff,

On Fri, Jun 21, 2024 at 07:20:17AM +0800, Jeff Pang via mailop [mailop@mailop.org] wrote:
> today I clear up iptables rules, and run fail2ban again.
> in half of an hour, it blocked 1400+ IPs.
>
> $ sudo iptables -L -n|grep DROP|wc -l
> 1407
>
>
> it seems the black ips are coming endlessly.
> most of the bad actions are like this one:
>
> postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
>
> I am afraid too many iptables will slow down the performance of systems.
> do you have any suggestion for handling this case?

iirc, current fail2ban can put the banned IPs in an ipset, which is very efficient for iptables filtering.

Also, if the same IPs are coming back often, you could look at the "recidive" rules, for long term ban, and/or (semi)manually check whether IPs are from some common netblocks and add permanent rules to block them.

-- 
Dominique Rousseau
Neuronnexion, Internet & Intranet Service Provider
6 rue des Hautes cornes - 80000 Amiens
tel: 03 22 71 61 90 - fax: 03 22 71 61 99 - http://www.neuronnexion.coop
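The netblock check suggested in the reply above can be scripted. The following is an added example, not part of the original message or of fail2ban: it pulls client addresses out of Postfix SASL failure lines and groups them by netblock. The /24 grouping, the three-host threshold, the function names and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the Postfix warning format quoted in the thread.
FAIL_RE = re.compile(r"warning: \S+\[([0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")

_P = "postfix/smtps/smtpd[451948]: "
SAMPLE_LOG = [  # first line is from the thread, the rest are constructed
    _P + "warning: unknown[211.184.190.87]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    _P + "warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    _P + "warning: unknown[192.0.2.11]: SASL PLAIN authentication failed:",
    _P + "warning: unknown[192.0.2.200]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    _P + "warning: unknown[198.51.100.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    _P + "warning: unknown[198.51.100.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    _P + "connect from unknown[203.0.113.9]",  # not a failure, must be ignored
]

def failed_ips(lines):
    """Return the set of client addresses with at least one SASL failure."""
    ips = set()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            try:
                ips.add(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # malformed address in the log line; skip it
    return ips

def ban_candidates(ips, prefix=24, min_hosts=3):
    """Split addresses into netblocks worth one rule and leftover single hosts.

    prefix and min_hosts are assumed thresholds; only IPv4 is grouped.
    """
    groups, singles = defaultdict(set), set()
    for ip in ips:
        if ip.version == 4:
            groups[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
        else:
            singles.add(ip)
    blocks = []
    for net, members in groups.items():
        if len(members) >= min_hosts:
            blocks.append(net)
        else:
            singles.update(members)
    # Merge adjacent blocks (two neighbouring /24s become one /23).
    blocks = list(ipaddress.collapse_addresses(blocks))
    return blocks, sorted(singles, key=lambda a: (a.version, int(a)))

if __name__ == "__main__":
    nets, hosts = ban_candidates(failed_ips(SAMPLE_LOG))
    print("netblocks to review:", [str(n) for n in nets])
    print("single hosts:", [str(h) for h in hosts])
```

Netblocks reported this way still need the manual review the reply mentions before a permanent rule is added, since a shared range can also contain legitimate senders.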